Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
On Tue, Jun 29, 1999 at 03:52:13PM -0500, Gene Spafford wrote:
> Well, let me weigh in again. I think Pascal covered most of my thoughts here.
> If I send a huge flood of Christmas Tree packets to your network, and
> machines of all kinds crash because the underlying code didn't handle
> unusual combinations of option flags, would that be one CVE entry?
> Even if it crashed Windows, Unix, Mac, VMS and Cisco boxes alike?
One, the end result is the same (e.g. Land) and caused by functionally
similar (but not necessarily the same) code.
> Suppose I send a carefully crafted set of packets to your Linux box.
> Version 93.7 crashes, and version 93.8 lets me on as root. The only
> difference between the two is that some code in the disk driver was
> changed. Is this two CVE entries or one?
Two, the end result is different and caused.
> How would the IDS vendors count these? If the CVE only has entries
> for attacks, and not for code base, will vendor XYZ advertise "We
> catch all 987 attacks in the CVE, plus another 100 that aren't
Vendors will always come up with ways to advertise more vulnerabilities
than the number of entries in the CVE. That is a game you cannot
win, so don't even try to play it.
> If you can answer all three questions, plus variants, with a set of
> well-defined rules, then you have the basis for abstraction decisions
> in the CVE. Until you can, any decisions will be ad hoc.
Aleph One / email@example.com
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01